In the previous posts (here and here) we considered the ascendancy of APIs and the security challenges they pose. In this post, we will examine how the Barracuda Web Application Firewall can help secure REST APIs. Note that the BWAF applies the same industry-leading technology for detecting malicious inputs that is used in protecting web applications. Of course, this includes de-obfuscation and protocol sanitization, amongst a host of other checks. Many of these also apply equally to AJAX-based web applications.

Filtering Malicious Data from Untrusted User Inputs in JSON/XML

Developers of programming frameworks and bespoke software alike often omit input sanitization for JSON and XML, despite enforcing it in traditional web interfaces. For example, the JSON gem in Ruby was found to be vulnerable to SQL injection, and so was the Perl module SQL Maker. This exposes your APIs to the entire OWASP Top 10, even when the web interface has been locked down against those same attacks.
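To make the point concrete, here is an added example (our own illustration, not code from the Ruby gem, SQL Maker, or the BWAF) of a JSON search endpoint in two forms: a "before" handler that trusts a JSON field and interpolates it into SQL, and a hardened handler that validates the body against a small schema and uses a parameterized query. The table, the rows and the request bodies are constructed for the example; the `validate_search` rules (exact key set, string type, length and character class) are an assumed policy for a product name, not a standard.

```python
import json
import re
import sqlite3


def make_db():
    """Constructed in-memory catalog so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO products (name, secret) VALUES (?, ?)",
        [("widget", "public"), ("gadget", "internal-only")],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, body):
    """'Before': the JSON field is trusted and spliced into the SQL text.
    A JSON body is still untrusted user input, so this is a classic injection."""
    name = json.loads(body)["name"]
    sql = f"SELECT name FROM products WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


# Assumed policy for this example: a product name is 1-32 chars of [A-Za-z0-9_-].
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def validate_search(body):
    """Schema-style validation of the JSON body. Rejects malformed JSON, unexpected
    or missing keys, wrong value types (a list or object where a string is expected
    is a JSON-specific trap), and strings outside the allowed pattern."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"malformed JSON: {exc}") from None
    if not isinstance(doc, dict) or set(doc) != {"name"}:
        raise ValueError("body must be an object with exactly the key 'name'")
    name = doc["name"]
    if not isinstance(name, str) or not NAME_RE.match(name):
        raise ValueError("name must be 1-32 characters of [A-Za-z0-9_-]")
    return name


def search_hardened(conn, body):
    """'After': validate first, then bind the value instead of formatting it."""
    name = validate_search(body)
    rows = conn.execute("SELECT name FROM products WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    tautology = json.dumps({"name": "x' OR '1'='1"})
    print("vulnerable:", search_vulnerable(db, tautology))   # every row comes back
    try:
        search_hardened(db, tautology)
    except ValueError as err:
        print("hardened rejected:", err)
    print("hardened:", search_hardened(db, json.dumps({"name": "widget"})))
```

The validation step is what the WAF is doing on your behalf when it inspects JSON bodies: it is the same "only the expected shape, type and characters" check that a form field would get, applied to each JSON value before the application ever sees it.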

In our previous post we alluded to new challenges in securing RESTful APIs. As promised, let us dive into some of the details.

Let us begin with some typical aspects of REST that have bearings on API security.

Use of HTTP/S: Instead of using complex technologies such as CORBA, web services or RPC, REST uses plain HTTP for communication between machines. Some APIs support HTTPS only. Thus, RESTful services are subject to all the application-layer security vulnerabilities that traditional web applications have had to deal with over the years (e.g. the OWASP Top 10).

Use of HTTP Methods for CRUD: REST-based services map CRUD (Create/Read/Update/Delete) operations to HTTP methods (PUT/GET/POST/DELETE) respectively. An important design consideration is limiting the methods permitted on a resource (e.g. no DELETE on /catalog), but this is often not enforced correctly in the implementation, which can lead to undesirable consequences.
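The per-resource method restriction is easy to state and easy to forget, so here is an added example (our own illustration, not BWAF configuration syntax or product code) of a method allow-list enforced in front of a catalog API, together with a small audit that runs the same allow-list over access-log lines to find requests the backend accepted although the policy forbids them. The `/catalog` paths, the method sets and the log lines are all constructed for the example.

```python
import re

# Constructed allow-list for a hypothetical catalog API. Each resource pattern lists
# exactly the HTTP methods it should answer; anything else gets 405, and an
# unknown path gets 404 rather than falling through to a permissive default.
ALLOWED_METHODS = [
    (re.compile(r"^/catalog$"),            {"GET", "POST"}),           # list / create
    (re.compile(r"^/catalog/\d+$"),        {"GET", "PUT", "DELETE"}),  # read / update / delete one item
    (re.compile(r"^/catalog/\d+/price$"),  {"GET"}),                   # read-only sub-resource
]


def check_method(method, path):
    """Return (status, allow_header) for a request line.

    200 means the method is permitted on that resource; 405 means the resource
    exists but not for this method, and allow_header is the value the Allow
    response header must carry; 404 means no resource matched at all.
    HTTP method tokens are case-sensitive, so 'get' is deliberately not 'GET'."""
    for pattern, allowed in ALLOWED_METHODS:
        if pattern.match(path):
            allow = ", ".join(sorted(allowed))
            return (200, allow) if method in allowed else (405, allow)
    return 404, ""


def audit(log_lines):
    """Run the allow-list over constructed access-log lines of the form
    'METHOD PATH STATUS' and flag requests the backend served with a 2xx even
    though the policy says the method is not allowed on that resource.
    This is the check that reveals a restriction that exists on paper only."""
    findings = []
    for line in log_lines:
        method, path, status = line.split()
        expected, allow = check_method(method, path)
        if expected == 405 and status.startswith("2"):
            findings.append(
                f"{method} {path}: backend returned {status}, policy allows only [{allow}]"
            )
    return findings


# Constructed sample log lines for the audit.
SAMPLE_LOG = [
    "GET /catalog 200",
    "DELETE /catalog 200",          # should never have succeeded
    "PUT /catalog/42 204",
    "POST /catalog/7/price 403",    # backend refused it on its own
    "get /catalog 200",             # wrong-case method token
]

if __name__ == "__main__":
    print(check_method("DELETE", "/catalog"))
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Note that the decision is made per (method, resource) pair rather than per method globally: DELETE is legitimate on `/catalog/42` and forbidden on `/catalog`, which is exactly the distinction a blanket "block DELETE" rule cannot express.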

For a while now, APIs have been considered a tactical tool in driving a broader business strategy. But in the evolving digital landscape they are increasingly regarded as the very linchpins of core business strategy, be it for enterprise or consumer businesses. Technologically, this spans not only the emerging spectrum of cloud, mobile applications, (*)aaS and IoT, but even traditional enterprise software like relational databases. Business-wise, everyone from hospitality, travel, content, media and health to finance and manufacturing is dabbling with APIs.